Re: Draft finding - "Transitioning the Web to HTTPS"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 19 Jan 2015 13:43:58 +0100
Message-ID: <CADnb78j0KNpvabY21QJOCV58aXhCYj-uy4_YveQemv45Gdvpkg@mail.gmail.com>
To: Paul Libbrecht <paul@hoplahup.net>
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>

On Mon, Jan 19, 2015 at 1:35 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
> You got it right: we need to teach users to differentiate.
> And that could be done by UIs.
> Users' banks, and most financial statements sites, are probably identified
> by an EV cert… that's quite a difference to a startSSL cert in terms of UIs
> nowadays.
> That difference would be enough already to my taste.

No way. That is way too subtle a distinction. Users are not going to
remember what type of certificate a site used and based on that decide
to not work with it next time around (if it changed). Not to mention
that this would still leak all your credentials given that those are
scoped by origin.

Received on Monday, 19 January 2015 12:44:22 UTC
